What is ISO 27001 and why should a company adopt it?
Do you have smiling employees (or are surrounded by) employees that smile?
Perhaps not the first thing that you would think of as a benefit of ISO 27001. However if you design and implement a great information Security Management System with a process focus then you will also see internal business gains such as better efficiency and higher productivity. Hence, less stress for your employees and more interesting and engaging work = smiling employees.
This is, however, often not why organisations decide to implement ISO 27001. Typically, they start because they have external customer requirements. Recent research from 451 Research shows that the hosting and cloud market is growing significantly but customers are increasingly looking for evidence of Security and Compliance. Likewise, bids and tenders from UK Government Departments require products and services to be accredited to IL2 or IL3, which again requires ISO 27001 certification.
ISO 27001 is the international standard for information security. The standard is an excellent framework for anyone who has information assets that needs protection. You can use the framework to help you improve your business and you can use the framework to obtain external verification through ISO certification that can help create trust with your potential customers.
Designing and implementing an ISMS (Information Security Management System) will not only mean more business for your business, it will also provide you with a platform for protection of your most important assets as well as give you a system that will ensure business continuity should the security defences be compromised.
Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities. Information security is achieved by implementing a suitable set of controls, including policies, processes, procedures, organizational structures, software and hardware. (Can you buy security? No, but you can use ISO 27001 to get closer!)
These controls need to be established, implemented, monitored, reviewed and improved, where necessary, to ensure that the specific security and business objectives of the organization are met.
The typical approach to ISO 27001 is to begin with creating awareness in your organisation. This might be through workshops and presentations, but it is extremely important that everybody is aware and on-board with the project. The next step is to understand where you as an organisation are in terms of information security and what gaps you need to close for a complete ISO 27001 implementation. Now you are ready to start the project including budget, risk assessment, risk treatment plan, defining controls, write documentation, train employees, run the system, perform audits and then finish with an external certification audits.
As you can properly imagine this kind of ISO 27001 certification projects can vary tremendously in both time and cost. It all depends on the existing maturity of the organisation as well as the complexity of the organisation and how many gaps you need to close before you are ready for certification. I have seen projects that took 3-4 months but a typical project will take somewhere between 9 months and a year. Likewise, cost is even more difficult to establish upfront as this will also depend on the maturity and gaps. In addition, cost will also depend on size of the organisation, the risk assessment, the level of protection you need, technology, legislation, etc. The important thing to note is that the foundation is the risk assessment. There is no point investing too much in something that is either not a significant risk or has a high criticality to your business. The typical cost are project management, external consulting, technology, training, employee time and certification. (What does ISO 27001 certification cost…and what does it cost if you don’t?).
However, if done correctly, this investment will pay dividends in a better run business with more customers and less incidents and downtime (and perhaps employees that smile?).
The cost of not doing ISO 27001 can be significant and there are plenty of research to support this for example Ponemon Institute’s 2013 Cost of Cyber Crime study finds the average company experiences more than 100 successful cyber-attacks each year at a cost of $11.6M. The study also shows that those employing good security governance practices reduced costs by an average of $1.5M.